Thank you. You can skip the delay.

On Sat, 21 Dec 2019 at 19:12, Mike Gabriel <sunwea...@debian.org> wrote:
> Package: src:tightvnc
> Version: 1.3.9-9
> Severity: important
>
> Hi Ola et al,
>
> I have just dput tightvnc 1.3.9-9.1 targeting unstable to DELAYED/10.
>
> This is the upload's changelog:
>
> ```
> diff -Nru tightvnc-1.3.9/debian/changelog tightvnc-1.3.9/debian/changelog > --- tightvnc-1.3.9/debian/changelog 2017-01-27 22:08:21.000000000 +0100 > +++ tightvnc-1.3.9/debian/changelog 2019-12-21 10:35:50.000000000 +0100 
> @@ -1,3 +1,26 @@ > +tightvnc (1:1.3.9-9.1) unstable; urgency=medium > + > + * Security upload. (Closes: #945364). > + * CVE-2014-6053: Check malloc() return value on client->server > ClientCutText > + message. > + * CVE-2019-8287 (aka CVE-2018-20020): Fix heap out-of-bound write > + vulnerability inside structure in VNC client code. > + * CVE-2018-20021: CWE-835: Infinite loop vulnerability in VNC client > code. > + * CVE-2018-20022: CWE-665: Improper Initialization vulnerability. > + * CVE-2018-7225: Uninitialized and potentially sensitive data could be > + accessed by remote attackers because the msg.cct.length in > rfbserver.c was > + not sanitized. > + * CVE-2019-15678: LibVNCClient: ignore server-sent cut text longer > than 1MB. > + * Extra patch similar to the fix for CVE-2019-15678: LibVNCClient: > ignore > + server-sent reason strings longer than 1MB (see CVE-2018-20748/ > + libvncserver). > + * CVE-2019-15679: rfbproto.c/InitialiseRFBConnection: Check desktop name > + length received before allocating memory for it and limit it to 1MB. > + * CVE-2019-15680: Fix null-pointer-deref issue in vncviewer/zlib.c. > + * CVE-2019-15681: rfbserver: don't leak stack memory to the remote. > + > + -- Mike Gabriel <sunwea...@debian.org> Sat, 21 Dec 2019 10:35:50 +0100 > + > tightvnc (1:1.3.9-9) unstable; urgency=high > > * Reverted the transition. Tigervnc is not ready for being a full
>
> ```
>
> The .debdiff for the made upload is attached. Please let me know, if
> you want to let it just pass through after 10 days or if I shall
> cancel the upload and do the upload to unstable yourself.
>
> Please also note my proposal to move tightvnc over under the umbrella
> of the Debian Remote Maintainers Team (debian-rem...@lists.debian.org).
>
> Thanks+Greets,
> Mike
> --
>
> mike gabriel aka sunweaver (Debian Developer)
> mobile: +49 (1520) 1976 148
> landline: +49 (4351) 486 14 27
>
> GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
> mail: sunwea...@debian.org, http://sunweavers.net
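
Review bot: the first bullet of the new 1:1.3.9-9.1 entry reads "Security upload." although the -9.1 revision and the DELAYED/10 request to the maintainer mark this as an NMU; the Debian Developer's Reference asks for the entry to open with "* Non-maintainer upload." so the upload type is explicit in the package history. Keep "Security upload. (Closes: #945364)" as the bullet after it. Two smaller points in the same entry: the CVE-2018-20022 and CVE-2018-20021 bullets give only the CWE class, while the other bullets name the affected file or message (rfbserver.c, rfbproto.c/InitialiseRFBConnection, vncviewer/zlib.c), so adding the affected location there would make each fix equally easy to audit; and the entry uses urgency=medium for a batch of security fixes while the preceding entry used urgency=high, which is worth a deliberate choice rather than a default.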